Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 945167 (CVE-2024-47855)

Summary: <dev-util/jenkins-bin-{2.479.2:lts,2.487:0}: Denial of Service
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: ajak, graaff, hydrapolic, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.jenkins.io/security/advisory/2024-11-27/
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 946054    
Bug Blocks:    

Description Hans de Graaff gentoo-dev Security 2024-11-28 06:47:03 UTC 
Jenkins uses the library org.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project’s fork of net.sf.json-lib:json-lib, which has since been renamed to org.kordamp.json:json-lib-core.

Jenkins LTS 2.479.1 and earlier, 2.486 and earlier bundles org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier. These releases are affected by CVE-2024-47855.

In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP requests handling threads busy indefinitely, using system resources and preventing legitimate users from using Jenkins. Additionally, the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket. Additionally, other features of Jenkins or plugins that process user-provided JSON may be affected, resulting in those features being blocked.

The fix for CVE-2024-47855 in org.kordamp.json:json-lib-core has been backported to org.kohsuke.stapler:json-lib and released in version 2.4-jenkins-8. Jenkins LTS 2.479.2, 2.487 bundles org.kohsuke.stapler:json-lib 2.4-jenkins-8.